TO match current config - Refactor secrets-store-provider module: remove unused variables, update README, and add Helm chart templates

Author: sabarish244

aws/platform/main.tf

@@ -393,7 +393,7 @@ locals {
       ]
       image = {
         repository = "public.ecr.aws/aws-observability/aws-for-fluent-bit"
-        tag        = "2.31.6"
+        tag        = "2.22.0"
       }
       resources = {
         limits = {

aws/platform/modules/secrets-store-provider/README.md

@@ -22,10 +22,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_chart_name"></a> [chart\_name](#input\_chart\_name) | Helm chart to install | `string` | `null` | no |
-| <a name="input_chart_repository"></a> [chart\_repository](#input\_chart\_repository) | Helm repository containing the chart | `string` | `null` | no |
 | <a name="input_chart_values"></a> [chart\_values](#input\_chart\_values) | Overrides to pass to the Helm chart | `list(string)` | `[]` | no |
-| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | Version of chart to be installed | `string` | `null` | no |
-| <a name="input_k8s_namespace"></a> [k8s\_namespace](#input\_k8s\_namespace) | Kubernetes namespace in which the chart should be installed | `string` | `"kube-system"` | no |
-| <a name="input_name"></a> [name](#input\_name) | Name of this Helm release | `string` | `"csi-secrets-store-provider-aws"` | no |
+| <a name="input_k8s_namespace"></a> [k8s\_namespace](#input\_k8s\_namespace) | Kubernetes namespace in which resources will be written | `string` | `"kube-system"` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name for the Helm release | `string` | `"csi-secrets-store-provider-aws"` | no |
 <!-- END_TF_DOCS -->

aws/platform/modules/secrets-store-provider/chart.json

@@ -0,0 +1,12 @@
+# Based on the installation manifests from AWS:
+# https://github.com/aws/secrets-store-csi-driver-provider-aws/blob/main/deployment/aws-provider-installer.yaml
+
+apiVersion: v2
+name: csi-secrets-store-provider-aws
+description: AWS CSI secrets store provider
+
+type: application
+
+version: 0.1.1
+
+appVersion: 1.0.r2-2021.08.13.20.34-linux-amd64

aws/platform/modules/secrets-store-provider/chart/Chart.yaml

@@ -0,0 +1,63 @@
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ascp.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ascp.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ascp.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ascp.labels" -}}
+helm.sh/chart: {{ include "ascp.chart" . }}
+{{ include "ascp.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ascp.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ascp.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ascp.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ascp.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

aws/platform/modules/secrets-store-provider/chart/templates/_helpers.tpl

@@ -0,0 +1,21 @@
+{{- if .Values.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ascp.fullname" . }}
+  labels:
+    {{- include "ascp.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["serviceaccounts/token"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resources: ["serviceaccounts"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get"]
+{{- end }}

aws/platform/modules/secrets-store-provider/chart/templates/clusterrole.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ascp.fullname" . }}
+  labels:
+    {{- include "ascp.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "ascp.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "ascp.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

aws/platform/modules/secrets-store-provider/chart/templates/clusterrolebinding.yaml

@@ -0,0 +1,83 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "ascp.fullname" . }}
+  labels:
+    {{- include "ascp.labels" . | nindent 4 }}
+spec:
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      {{- include "ascp.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.daemonset.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "ascp.selectorLabels" . | nindent 8 }}
+        {{- with .Values.daemonset.podLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.daemonset.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.daemonset.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "ascp.serviceAccountName" . }}
+      hostNetwork: true
+      containers:
+      - name: provider-aws-installer
+        {{- with .Values.daemonset.podSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+        image: "{{ .Values.daemonset.image.repository }}:{{ .Values.daemonset.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.daemonset.image.pullPolicy }}
+        args:
+        - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
+        resources:
+          {{- toYaml .Values.daemonset.resources | nindent 10 }}
+        {{- with .Values.daemonset.env }}
+        env:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.daemonset.envFrom }}
+        envFrom:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        volumeMounts:
+          - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
+            name: providervol
+          - name: mountpoint-dir
+            mountPath: /var/lib/kubelet/pods
+            mountPropagation: HostToContainer
+      volumes:
+        - name: providervol
+          hostPath:
+            path: "/etc/kubernetes/secrets-store-csi-providers"
+        - name: mountpoint-dir
+          hostPath:
+            path: /var/lib/kubelet/pods
+            type: DirectoryOrCreate
+      {{- with .Values.daemonset.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.daemonset.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      {{- with .Values.daemonset.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.daemonset.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

aws/platform/modules/secrets-store-provider/chart/templates/daemonset.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "ascp.serviceAccountName" . }}
+  labels:
+    {{- include "ascp.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

aws/platform/modules/secrets-store-provider/chart/templates/serviceaccount.yaml

@@ -0,0 +1,67 @@
+# Default values for ASCP.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+nameOverride: ""
+fullnameOverride: ""
+
+daemonset:
+  image:
+    repository: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws
+    pullPolicy: IfNotPresent
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: ""
+
+  imagePullSecrets: []
+
+  podAnnotations: {}
+
+  podSecurityContext: {}
+    # fsGroup: 2000
+
+  securityContext: {}
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # readOnlyRootFilesystem: true
+    # runAsNonRoot: true
+    # runAsUser: 1000
+
+  resources:
+    requests:
+      cpu: 50m
+      memory: 100Mi
+    limits:
+      memory: 100Mi
+
+  nodeSelector:
+    kubernetes.io/os: linux
+
+  tolerations: []
+
+  affinity: {}
+
+  # Pods will be unable to access secrets without this pod running
+  priorityClassName: system-node-critical
+
+  # Environment variables can be referenced from config using dollar syntax
+  # envFrom:
+  # - secretRef:
+  #     name: oauth-secret
+
+service:
+  type: ClusterIP
+  port: 5556
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+# Whether Role Based Access Control objects like roles and rolebindings should be created
+rbac:
+  enabled: true